Commit 940a5e6d authored by Bruce Dawson, committed by Chromium LUCI CQ

Clear dangling pointer

NewTabButton::OnMouseReleased sets a member variable to point at a local
variable, and leaves that pointer set after the local variable is
"freed" (i.e., after the function returns). That pointer is dereferenced
during the destructor with undefined consequences. The fix is to zero
the pointer before returning.

A smart object that does this in its destructor would be safer, but is
out of scope for now.

I audited the other seven instances of this pattern that I could find
and they are all fine.

Bug: 1152152
Change-Id: Ia52d0abb80485503e9c2ae074e98ed12d654cbe2
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2578011
Reviewed-by: Allen Bauer <kylixrd@chromium.org>
Commit-Queue: Bruce Dawson <brucedawson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#834519}
parent f67e08a8
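The "destroyed flag" pattern the message describes, shown as an added example that is not Chromium's code: a hypothetical `Widget` with the manual form that leaves the member dangling beside the kind of scoped guard the message says would be safer. All names (`Widget`, `ScopedDestroyedFlag`, the `HandleEvent*` functions) are invented for illustration.

```cpp
// Hypothetical object that may be deleted while one of its methods runs.
struct Widget {
  bool* destroyed_ = nullptr;  // points at a caller's local flag, or null
  ~Widget() { if (destroyed_) *destroyed_ = true; }  // null-check is essential
};

// RAII guard: installs a local flag in the member and clears the member when
// the guard goes out of scope, unless the widget was destroyed meanwhile.
class ScopedDestroyedFlag {
 public:
  explicit ScopedDestroyedFlag(Widget* w) : w_(w) { w_->destroyed_ = &flag_; }
  ~ScopedDestroyedFlag() { if (!flag_) w_->destroyed_ = nullptr; }
  bool destroyed() const { return flag_; }
 private:
  Widget* w_;
  bool flag_ = false;
};

// Buggy form (the "before" of the fix): leaves w->destroyed_ pointing at the
// dead local `destroyed` after returning.
template <typename Fn>
bool HandleEventUnguarded(Widget* w, Fn callback) {
  bool destroyed = false;
  w->destroyed_ = &destroyed;
  callback();  // may delete w
  return !destroyed;  // true if the widget survived
}

// Fixed form: the guard clears the pointer on every exit path (early returns too).
template <typename Fn>
bool HandleEventGuarded(Widget* w, Fn callback) {
  ScopedDestroyedFlag guard(w);
  callback();  // may delete w
  return !guard.destroyed();
}

// True if the member still holds a (dangling) pointer after the handler ran.
bool LeavesDanglingPointer(bool guarded) {
  Widget w;
  if (guarded) HandleEventGuarded(&w, [] {});
  else HandleEventUnguarded(&w, [] {});
  bool dangling = w.destroyed_ != nullptr;
  w.destroyed_ = nullptr;  // otherwise ~Widget writes through the dead local
  return dangling;
}
// Deletion inside the callback is reported and the dead object is never touched.
bool DetectsDeletionDuringCallback() {
  Widget* w = new Widget;
  return !HandleEventGuarded(w, [w] { delete w; });
}
```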
......@@ -132,8 +132,12 @@ void NewTabButton::OnMouseReleased(const ui::MouseEvent& event) {
bool destroyed = false;
destroyed_ = &destroyed;
views::ShowSystemMenuAtScreenPixelLocation(views::HWNDForView(this), point);
if (!destroyed)
if (!destroyed) {
SetState(views::Button::STATE_NORMAL);
// Zero this pointer to avoid dangling references to the local that will
// soon go out of scope. Only do this if the object was not destroyed.
destroyed_ = nullptr;
}
}
#endif
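Review bot: the new `destroyed_ = nullptr;` is correctly placed inside the `if (!destroyed)` block, since when the object was deleted during `ShowSystemMenuAtScreenPixelLocation` the member itself no longer exists and clearing it would be a use-after-free; the fix does, however, rely on the destructor null-checking `destroyed_` before writing through it, which this hunk does not show, so please confirm that check exists rather than an unconditional `*destroyed_ = true`. Given the message already notes a scoped object would be safer, a small RAII guard that installs the flag in its constructor and clears the member in its destructor (when not destroyed) would also cover any future early return added between the assignment and the end of the function.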